HubSpot CSP Tool
Use this tool to more easily create a Content Security Policy header for HubSpot CMS. Add your domain below and whether or not you're hosted in the EU data center, then generate your CSP header.
FAQs
Your questions, answered
A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection. It works by telling the browser exactly which dynamic resources (like external scripts, styles, and images) are allowed to load and execute on your website.
Don't panic! If tools, styles, or tracking scripts stop working after implementing your CSP, the browser is simply doing its job and blocking resources it doesn't recognize. Open your browser's Developer Tools and look at the Console. You will see clear red error messages stating exactly which domains were blocked by the CSP. Note those missing domains, add them to your policy string, and update your settings.
Enabling nonces provides a fantastic, strict layer of security by generating a unique, one-time token for scripts on every page load. However, you should only enable this if your website templates use HubSpot's native HubL asset loaders (require_js and require_css). If your site has hardcoded <script> tags sitting directly in the HTML, HubSpot cannot automatically attach the nonce, and your CSP will block them from running.
To add your generated CSP to your live site, click the settings gear icon in your HubSpot portal. Navigate to Content > Domains & URLs. Next to the domain you want to update, click Edit > Update domain security settings. Go to the Security headers tab, and paste your final string directly into the Policy directives text box.
We highly recommend testing your CSP before enforcing it. You can do this by applying your generated string via an HTTP header checking tool or using a meta tag set to Content-Security-Policy-Report-Only. This tells the browser to monitor the site and print violations to your developer console without actually blocking any scripts or assets from loading.
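The two points above (a nonce only admits scripts that carry it, and Report-Only merely reports the same decision) can be checked offline. The following is an added example, not code from the tool or from HubSpot: it builds a policy string and approximates the browser's script-src decision for a single `<script>` tag. All domains in it are constructed stand-ins; the real HubSpot infrastructure domains come from the generator.

```python
import re
import secrets
from urllib.parse import urlsplit

def new_nonce():
    """Fresh per-page-load token (16 random bytes, base64url)."""
    return secrets.token_urlsafe(16)

def build_csp(script_sources, nonce=None, report_only=False):
    """Return (header_name, header_value). report_only=True selects the
    Report-Only header, which logs violations without blocking anything."""
    sources = ["'self'", *script_sources]
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, f"default-src 'self'; script-src {' '.join(sources)}"

def parse_csp(value):
    """Split a policy string into {directive: [source, ...]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def _host_matches(source, origin):
    """Match a host-source such as https://cdn.example.com or https://*.example.com."""
    if "://" not in source:
        return False  # keywords like 'self' and scheme-only sources handled elsewhere
    s, o = urlsplit(source), urlsplit(origin)
    if s.scheme != o.scheme or not s.hostname:
        return False
    if s.hostname.startswith("*."):
        return o.hostname.endswith(s.hostname[1:])
    return s.hostname == o.hostname

def script_allowed(policy_value, script_tag, page_origin):
    """Approximate the browser's script-src decision for one <script> tag."""
    directives = parse_csp(policy_value)
    allowed = directives.get("script-src", directives.get("default-src", []))
    attrs = dict(re.findall(r'(\w+)="([^"]*)"', script_tag))
    has_nonce = any(s.startswith("'nonce-") for s in allowed)
    if "nonce" in attrs and f"'nonce-{attrs['nonce']}'" in allowed:
        return True  # tag carries the per-load nonce (what HubL's asset loaders attach)
    if "src" not in attrs:  # hardcoded inline script without a matching nonce
        return "'unsafe-inline'" in allowed and not has_nonce  # a nonce disables 'unsafe-inline'
    src = urlsplit(attrs["src"])
    origin = f"{src.scheme}://{src.netloc}"
    if "'self'" in allowed and origin == page_origin:
        return True
    return any(_host_matches(s, origin) for s in allowed)
```

Under the Report-Only header the decision is identical; the browser only prints the violation to the console instead of refusing to run the script.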
Our tool currently supports the most common marketing tools (Google Suite, LinkedIn, Hotjar, Unicorn Studio) alongside all mandatory HubSpot infrastructure domains. However, if you use niche chat widgets, custom CRMs, or other specialized tracking software, you will need to manually append their required domains to your final CSP string.